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Abstract. The workflow satisfiability problem is concerned with deter- 
mining whether it is possible to find an allocation of authorized users to 
the steps in a workflow in such a way that all constraints are satisfied. 
The problem is NP-hard in general, but is known to be fixed-parameter 
tractable for certain classes of constraints. The known results on fixed- 
parameter tractability rely on the symmetry (in some sense) of the con- 
straints. In this paper, we provide the first results that establish fixed- 
parameter tractability of the satisfiability problem when the constraints 
are asymmetric. In particular, we introduce the notion of seniority con- 
straints, in which the execution of steps is determined, in part, by the 
relative seniority of the users that perform them. Our results require 
new techniques, which make use of tree decompositions of the graph of 
the binary relation defining the constraint. Finally, we establish a lower 
bound for the hardness of the workflow satisfiability problem. 



1 Introduction 

A business process is a collection of interrelated steps that are performed in 
some predetermined sequence in order to achieve some objective. It is increas- 
ingly common to automate business process and for business process manage- 
ment systems or workflow management systems to control the execution of the 
steps comprising the business process. A workflow speciflcation is an abstract 
representation of a collection of business steps, together with dependencies on 
the order in which steps should be performed. A workflow specification may be 
instantiated and its execution controlled by a workflow management system. 

In many situations, we wish to restrict the users that can perform certain 
steps. On the one hand, we may wish to specify which users are authorized to 
perform particular steps. The workflow management system will prevent a user 
from performing any step for which that user is not authorized. In addition, we 
may wish, either because of the particular requirements of the business appli- 
cation or because of statutory requirements, to prevent certain combinations of 
users from performing particular combinations of steps. In particular, there may 
be pairs of steps that must be executed in any given instance of the workflow 
by different users, the so-called "two- man rule" (or "four-eyes rule"). Similarly, 



we may require that two or more steps in any given instance are performed 
by the same user. These constraints are sometimes known in the hterature as 
separation-of-duty and binding-of-duty constraints, respectively. 

The existence of constraints on the execution of a workflow raises the question 
of whether a workflow specification can be realized in practice. As a trivial 
example, a workflow with two steps and the requirement that a different user 
performs each of the two steps cannot be realized by a user population with a 
single user. Therefore, it is important to be able to determine whether a workflow 
is satisfiable: Does there exist an allocation of authorized users to workflow steps 
such that every step is performed by an authorized user and are all constraints 
on the execution of steps satisfied? 

A brute-force approach to answering the question gives rise to an algorithm 
that has running time 0{cn^), where c is the number of constraint^, n is the 
number of users and k is the number of steps. Moreover, it is known that deter- 
mining the satisfiability of a workflow specification is NP-hard in general [IS] . 
However, it has also been shown that some interesting special cases of the prob- 
lem are fixed-parameter tractable, meaning that there exists an algorithm to 
solve them with running time 0{f{k)n'^), where d is some constant (indepen- 
dent of k and n). The existence of such an algorithm suggests that relatively 
efficient methods can be developed to solve interesting cases of the workflow 
satisfiability problem. 

Wang and Li established that satisfiability is fixed-parameter tractable when 
we restrict attention to separation- and binding-of-duty constraints [15i . Cramp- 
ton et al. developed a novel analysis of the problem, which reduced the com- 
plexity considerably, but retained the focus on separation- and binding-of-duty 
constraints In this paper, we consider a new class of constraints, in which the 
users that perform two steps are different and one is senior to the other. Senior- 
ity constraints are asymmetric, in contrast to separation- and binding-of-duty 
constraints, and this means that existing techniques for determining workflow 
satisfiability cannot be applied to workflow specifications that contain such con- 
straints. 

In this paper, we introduce novel techniques for determining workflow satis- 
fiability when the specification includes seniority constraints. These techniques 
are based on the tree decomposition of the graph of the seniority relation and 
the application of dynamic programming to a particular form of tree decompo- 
sition. This enables us to establish that the workflow satisflability problem is 
fixed-parameter tractable when the partial order defined over the set of users 
has Hasse diagram (viewed as an acyclic digraph) of bounded treewidtt|f|. As we 
will see, many user hierarchies that arise in practice have bounded treewidth. 
However, our result is highly unlikely to hold for an arbitrary partial order de- 
fined over the set of users. Moreover, we show that it is impossible to obtain 



^ Here and in the rest of the paper, all constraints are binary and a constraint can be 

checked in constant time. 
^ We define treewidth of a graph in Sec. [31 
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an algorithm for the general case of WSP with running time significantly better 
than 0{cn^), assuming the Exponential Time Hypothesis (ETH) [TT] holds. 

We conclude this section by providing some terminology and notation on 
directed and undirected graphs. In the next section, we introduce the workflow 
satisfiability problem and further justify the relevance of seniority constraints. In 
Sec. [31 we describe tree decompositions, define treewidth and show its relevance 
to practical seniority constraints, and establish some elementary, preparatory 
results. Section|3]establishes fixed-parameter tractability of the above-mentioned 
"treewidth bounded" case of the problem and the following section establishes a 
lower bound for the complexity of the general problem (assuming ETH holds). 
We conclude the paper with a summary of our contributions, a discussion of the 
significance of our results, and some suggestions for future work. 

Terminology and Notation for Graphs Let G be a directed or undirected graph 
and let X be a set of vertices of G. The subgraph G[X] of G induced by X is 
obtained from G by deleting all vertices not in X. Let _D be a directed graph. The 
underlying graph U [D) is the undirected graph obtained from D by removing 
orientations from all arcs of D. We say that D is connected if U{D) is connected. 
We say that D is transitive if for every pair x,y oi distinct vertices, if there is 
a directed path from x to y then D contains an arc from x to y. We say that a 
directed graph H is the transitive closure of D if there is an arc from x to y in H 
whenever there is a directed path from x to y m. D. The degree of a vertex x of 
D is its degree in U{D). Let H he & directed or undirected graph. For a natural 
number £, we say that H is ^-degenerate if H[X] has a vertex of degree at most 

1 for each set of vertices X of 77. As an example, consider a forest. Note that it 
is 1-degenerate. Let D be a digraph, Y a set of vertices of D, and y, z vertices 
in _D — y. We say that Y separates y from z if D — Y has no directed path from 
y to z. 

2 Workflow Satisflability 

Suppose we are given a workflow specification comprising a set S of k steps. A 
workflow constraint has the form (p, s',s"), where s',s" G S and p is a binary 
relation defined over a set U oi n users. For each step s G S, there is a list L{s) 
of users authorized to perform s. A function tt from S to U is called a plan. We 
say that a plan tt satisfies constraint (p, s', s") if (7r(s'), 7r(s")) £ p. 

For a set, {pi, . . . , pt}, of binary relations on U, an instance I of the workflow 
satisfiability problem WSP(pi, pt) is given by a list L{s) for each s G S* and a 
set C of constraints of the form (p, s' , s"), where s' , s" G S and p G {pi, . . . , pt}; 
we are to decide whether there is a valid plan, i.e., a plan tt such that the following 
hold: 

— for each s G S", 7r(s) G L{s); 

— TT satisfies each constraint {pi,s',s") G C. 

If I has a valid plan, it is called a YES-instance. Otherwise, it is a No-instance. 
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Let < be a partial order on U. We will consider constraints of the form 
(p, s', s"), where p is one of =, 7^, <, and s', s" G S*. A plan n satisfies: 

- i<,s',s") if ^(s') <^(s"). 

Consider a business process for handling expenses claims, which is illustrated 
in Fig. [1] Such a workflow might include four steps: the preparation of an ex- 
penses claim (PrepC), the approval of the claim (AppC), the preparation of the 
payment (PrepP), and the approval of the payment (AppP). We might assume 
that most, if not all, users in an organization are authorized to prepare an ex- 
penses claim. We require that the user who approves a claim is senior to the 
user who prepares a claim. Note that it would be either difficult or impractical 
to enforce this rule simply by restricting the users who are authorized to ap- 
prove claims. (We could authorize only the most senior user to approve expenses 
claims, but this is unnecessarily limiting and places an onerous burden on a sin- 
gle individual.) Similarly, we require that the user who approves a payment be 
senior to the user who prepares the payment. In addition, we require that the 
user who prepares the expenses claim is different from the one who prepares the 
payment, and the user that approves the claim is different from the user who 
prepares the payment and from the one who approves the payment. 




(a) Ordering on steps (b) Constraint graph 



Fig. 1. A simple constrained workflow for purchase order processing 

It is perhaps worth noting at this stage that the use of an access control 
model that incorporates some notion of seniority (role-based access control and 
information flow models being obvious candidates) does not necessarily enforce 
the desired constraints. We might assign the PrepC and AppC steps to two dif- 
ferent roles r and r', say, with r < r' . However, this does not enforce the desired 
constraint: a user assigned to r' is indirectly assigned to r and is, therefore, 
authorized to perform both steps. 

It is worth noting, however, that access control models do define (albeit 
indirectly) an ordering on the set of users. In particular, we may define u < u' 
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if the set of steps for which u is authorized is a strict subset of the set of steps 
for which u' is authorized. The relation < is transitive. The relation <, where 
It < u' if and only if u < u' or u = u' is transitive, reflexive and anti-symmetric; 
that is, < defines a partial order on U. 

We also note that many organizations have user hierarchies that define the 
reporting and management lines within those organizations. If such a hierarchy 
exists, we may evaluate our seniority constraints with respect to such a hierarchy 
(rather than an ordering defined by the authorization policy). In many cases, 
such a user hierarchy will be a rooted tree, although our results do not require 
this and more complex hierarchies do arise in practice. At Royal Holloway, Uni- 
versity of London, for example, each of the three faculty Deans reports to and is 
managed by each of the three Vice Principals, as shown in Fig. [51 The complete 
bipartite subgraph within a user hierarchy that is a feature of this hierarchy also 
arises in the (graphs of the) relations of the preorders that are obtained from an 
authorization policy: each user in the set of users authorized for 5' C S* is senior 
to each user in the set of users authorized for S" C S'. 



Principal 




VPi VPa VP3 




Deani Deana Deans 

Fig. 2. Part of the user hierarchy at Royal Holloway 



2.1 Constraint Graphs 

Given a partial (irreflexive) order < on [/, let _ff be the transitive acyclic graph 
with vertex set U such that u < u if and only if there is an arc from u to w in H. 
We say H is the full graph of {U, <). Let D be an directed acyclic graph such 
that H is the transitive closure of D and the transitive closure of every subgraph 
D — a, where a is an arc of D, is not equal to H. Note that since H is acyclic, 
D is unique [11 (see also Sec. 2.3 of [3]). We say that D is the reduced graph (or 
Hasse diagram) of {U, <). 

A mixed graph consists of a set of vertices together with a set of undirected 
edges and a set of directed arcs. We may represent the set of constraints with a 
mixed graph as follows. 

First, we eliminate constraints of the form (=,s',s"). Specifically, we con- 
struct a graph P with vertices S in which s', s" G S are adjacent if X has a con- 
straint (=, s', s"). Observe that the same user must necessarily be assigned to all 
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steps in a connected component Q of P. Thus, if there is a pair s', s" e Q such 
that X has a constraint (7^, s', s") or (<, s', s"), then clearly I is a No-instance; 
thus we may assume that there is no such pair for any connected component 
of H. For each connected component Q oi P, replace all steps of Q in 5* by a 
"superstep" q. A user u is authorized to perform g if u is authorized to perform 
all steps of Q. That is, L{q) = Hssq ^(^)- 

The above procedure eliminates all constraints of the type {—, s', s") for the 
reduced set S of steps. All constraints of the types {j^,s',s") and (<,s',s") 
remain, but steps s' and s" are replaced by the corresponding supersteps. For 
simplicity of notation, we will denote the new instance of the problem also by I. 

Now we construct a mixed graph with vertex set S. For each constraint of 
the type {^,s' ,s"), add an edge between s' and s" . For each constraint of the 
type (<, s', s"), add an arc from s' and s" . We will refer to the resulting graph 
as the constraint graph (of I) . We will say an edge or arc in a constraint graph 
is satisfied by a plan tt if tt satisfies the corresponding constraint. 

It is worth noting that WSP(^) is rather closely related to graph colorability, 
where the assignment of users to tasks in such a way that separation-of-duty 
constraints are satisfied provides a coloring of the constraint graph and vice 
versaH. Note that the selection of a color for step s in the constraint graph 
prevents the use of only one color for steps connected by an edge to s. WSP(<, 7^) 
is an even more complex problem because it imposes a structure on the set of 
colors that are available, meaning that the selection of a color for s may preclude 
the use of many other colors for steps connected to s by an arc. 

Consider, for example, an organization with three users - Alice, Bob and 
Carol, where Alice is senior to Bob and Carol and all three users are authorized 
for all tasks. Then, our expenses claim workflow is not satisfiable. However, the 
workfiow specification is satisfiable if we replace the seniority constraints with 
separation-of-duty constraints. 

2.2 Related Work 

Suppose we have an algorithm that solves an NP-hard problem in time 
0{f{k)n'^), where n denotes the size of the input to the problem, k is some 
(small) parameter of the problem, / is some function in k only, and d is some con- 
stant (independent of k and n) . Then we say the algorithm is a fixed-parameter 
tractable (FPT) algorithm. If a problem can be solved using an FPT algorithm 
then we say that it is an FPT problem and that it belongs to the class FPlQ. 

Wang and Li initiated the study of the fixed-parameter tractability of work- 
flow satisfiability [T5]. They showed that the problem is W[l]-hard, in general, 
which implies that it is not FPT (unless the parameterized complexity hypoth- 
esis FPT ^ W[l] fails, which is believed to be highly unlikely). However, they 
were able to show that WSP(=, ^) is FPT. 

^ In fact, WSP(7^) is equivalent to the more general problem List Coloring, as the list 

L{s) imposes restrictions on the "colors" (users) that can be assigned to step s. 
* For more information on parameterized algorithms and complexity, see monographs 

mm- 
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Crampton et al. introduced new techniques for analyzing WSP(=,^) and 
significantly improved the complexity of FPT algorithms to solve the problem [B] . 
The approach of Crampton et al. is based on partitioning the set of steps and, 
for each block of steps in the partition, assigning a user to that block, where the 
user was authorized for each step in the block. The existence of such a partition 
and allocation of users to blocks demonstrates that a workflow specification is 
satisfiable. This method assumes that the allocation of a user to one particular 
block is independent of the allocation of users to other blocks: this assumption 
holds for separation- and binding-of-duty constraints; however, it does not hold 
for seniority constraints because the choice of a senior user for one block may 
limit the choices of user available for other blocks. 

Constraints of the form {p,s',s") have been called Type 1 constraints [6], 
and were formally introduced by Crampton [S] . Wang and Li introduced Type 2 
constraints [TS], which have the form (p, s', S"), where S' C S and the constraint 
is satisfied by plan tt if there exists s" G S' such that (7r(s'), 7r(s")) G p. Finally, 
Crampton et al. defined Type 3 constraints [B], which have the form (p, S", S"), 
where S", S" C S and the constraint is satisfied if there exist s' £ S' and s" £ S" 
such that {■k{s'),7t{s")) £ p. 

Crampton et al. [7] showed that it is possible to rewrite a workflow spec- 
ification containing Type 2 or Type 3 constraints as a collection of workflow 
speciflcations, each containing Type 1 constraints only. Moreover, the number 
of workflow specifications is determined by k (the number of steps) only, which 
means that the existence of an FPT algorithm for Type 1 constraints can be 
used to establish the existence of an FPT algorithm for specifications containing 
any combination of Type 1, 2 or 3 constraints. In this paper, we demonstrate 
the existence of an FPT algorithm for Type 1 constraints containing the < rela- 
tion provided the reduced graph D is of bounded treewidth. The prior work of 
Crampton et al. [7] enables us to construct an FPT algorithm for Type 2 and 3 
constraints. 



3 Tree Decompositions and Treewidth 

Tree decompositions provide a means of representing a (directed) graph using a 
tree. Subsets of the graph's vertices form the nodes of the tree, in such a way that 
a subtree containing a particular vertex is connected and the subtrees associated 
with the end-points of an edge in the graph have nonempty intersection. The 
treewidth of a graph G is a measure of the minimum number of vertices that 
are required in each node of a tree in order to construct a tree decomposition 
of G. Treewidth is known to be an important parameter when considering the 
complexity of graph-related problems that are NP-hard in general. As we will 
see, treewidth plays an important role in the complexity of the workflow satisfi- 
ability problem when we define a transitive relation < on U and define workflow 
constraints in terms of <. 
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Definition 1. A tree decomposition of a (directed) graph G — {V,E) is a pair 
{T,X), where T = {V-r,E^) is a tree and X — {Bi : i G VV} is a collection of 
subsets of V called bags, such that 

2. For every edge (arc) xy £ E, there exists i G Vj- such that {x,y} C Bi. 

3. For every x ^V, the set {i : x d Bi} induces a connected subtree ofT. 

The width of {T,X) is maxigy^ \Bi\ — 1. The treewidth of a graph G is the 
minimum width of all tree decompositions of G. 

To distinguisli between vertices of G and T, we call vertices of T nodes. We 
will often speak of a bag B interchangeably with the node it corresponds to in T. 
Thus, for example, we might say two bags B^ B' are neighbors if they correspond 
to nodes in T which are neighbors. We define the descendants of a bag B as 
follows: every child of ;B is a descendant of B, and every child of a descendant 
of S is a descendant of B. At the same time, we will say B = B' \i B, B' contain 
the same vertices, while still treating them as different bags. 

It is well-known that a connected graph is of treewidth 1 if and only if it 
is a tree with at least one edge P^. Every tree T with at least one edge has 
the following tree decomposition T of width 1: for every vertex a; of T let {x} 
be a bag of T and for every edge xy of T let {x, y} be a bag of T. Two bags 
are adjacent in T if one of them is a proper subset of the other. For the graph 
depicted in Fig. [1] (b) there is a tree decomposition of width 2: it has two bags 
{AppC, PrepC, PrepP} and {AppC, AppP, PrepP} connected by an edge. 

The graph of Fig. [2] has a tree decomposition of width 3, as shown in Fig. [31 
The graph of Fig. [2] can be extended as follows to more fully reflect the Royal 
Holloway management hierarchy. Each faculty at Royal HoUoway has several 
academic departments each led by Head of Department (HoD) and so we may 
add HoD's, each with an arc to the corresponding Dean, and non-HoD members 
of staff, each with an arc to the corresponding HoD. This extension of the graph 
of Fig. [2] essentially adds just trees to the graph and it is not hard to check that 
the treewidth of the extended graph is still 3. 

The Royal Holloway management hierarchy is not exceptional in the following 
sense: it is unlikely that a member of staff will have many line managers (quite 
often there is only one line manager). Thus, it does not seem unreasonable to 
expect the reduced graph of the corresponding partial order to have bounded 
treewidth and for the treewidth to be rather small. Moreover, our Royal Holloway 
example indicates that construction of (near-)optimal tree decompositions for 
such hierarchies may be not hard. 

It is NP-complete to decide whether the treewidth of a graph G is at most r 
(when r is part of input) ^ . Bodlaender [51 obtained an algorithm with running 
time 0{f{r)n) for deciding whether the treewidth of a graph G is at most r, 
where n is the number of vertices in G and / is a function depending only on 
r. This algorithm constructs the corresponding tree decomposition with 0{n) 
nodes, if the answer is Yes. Unfortunately, / grows too fast to be of practical 



8 



Principal 
VPi VP2 VPs 




Fig. 3. Tree Decomposition of Royal Holloway management hierarchy 



interest. However, there are several polynomial-time approximation algorithms 
and heuristics for computing the treewidth of a graph and the corresponding 
tree decomposition, see, e.g., [5]. 

We now describe a special type of tree decomposition that is widely used 
to construct dynamic programming algorithms for solving problems on graphs, 
called a nice tree decomposition. In a nice tree decomposition, one node in T is 
considered to be the root of 7", and each node i G Vj- is of one of the following 
four types: 

1. a join node B has two children B' and B" , with B = B' = B" ; 

2. a forget node B has one child B', and there exists u ^ B' such that B = 
B'\{u}- 

3. an introduce node B has one child B' , and there exists u ^ B' such that 
B = B'U {u}; 

4. a leaf node S is a leaf of T. 

The following useful lemma, concerning the construction of a nice tree de- 
composition from a given tree decomposition, was proved by Kloks |12L Lemma 
13.1.3]. 

Lemma 1. Given a tree decomposition with 0{n) nodes of a graph G with n 
vertices, we can construct, in time 0{n), a nice tree decomposition of G of the 
same width and with at most An nodes. 

Lemma 2. Let D be a (directed) graph, {T,X) a tree decomposition ofD, and 
let Y he a set of vertices in D such that D\Y] is connected. Then the set of bags 
containing vertices in Y induces a connected subtree in T. 

Proof. The proof is by induction on \Y\. The base case, \Y\ — 1, follows from 
Definition [TJ Let y £ Y such that D[Y \ {y}] is connected and suppose that the 
set of bags containing vertices in F \ {y} induces a connected subtree T' of T. 
Let z €Y such that yz is an edge of I?. By Definition [TJ y and z belong to the 
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same bag B and observe that B is in T'. Thus, the subtree of T induced by the 
bags containing y and T' intersect and so the set of bags containing vertices in 
Y induces a connected subtree in T. □ 

Lemma 3. Let D be the reduced graph for [U, <). Let u,v be users and B a set 
of users such that u ^ v and u,v ^ B, and B separates u from v in D. Then 
u < V if and only if there exists w d B such that u < w and w < v. 

Proof. By transitivity, if u < w < v then u < v. For the other direction, suppose 
u < V. Then by the definition of D there must exist a directed path from uio v 
in D. Since B separates u and v, this path must contain a user w in B. Therefore 
u < w and w < v. □ 



4 FPT Algorithm for Bounded Treewidth 

In this section, we consider the special case of the problem when the reduced 
graph D of {U, <) is of bounded treewidth. In other words, in this section, we 
assume that the treewidth of D is bounded by a constant r. Note that D may 
have much smaller treewidth than the full graph H. For example, when < is a 
linear order on U, then H is a, tournament with treewidth \U\ — 1, but D is a 
directed path with treewidth 1. 

Theorem 1. Let I be an instance o/ WSP(=,^,<) and let D be the reduced 
graph of {U, <). Given a tree decomposition of D of treewidth r and with 0(n) 
nodes, we can solve X in time 0{nk^(r + 2 + 3''"'""'^)'^), where k is the number of 
steps and n is the number of users. 

By Lemma[l] assume we have a nice tree decomposition (7~, X) of D of width 
r and with at most An nodes. Henceforth, we assume that we have constructed 
a nice tree decomposition for the instance I. 

Before proving the above result, we provide an informal insight into our 
approach. Dynamic programming is a well known technique that is used to solve 
a problem by systematically solving subproblems, each of which may contribute 
to the solution of other (typically larger or more complex) subproblems. For 
example, one might solve all subproblems of size i, and use these to solve all 
subproblems of size i + 1, or one might make use of structural graph properties, 
such as tree decompositions. 

In the case of WSP(=;^,<) we use dynamic programming techniques to 
compute solutions to restricted instances of the original problem instance, and for 
each of these restricted instances, we construct possible intermediate solutions 
for each bag in the nice tree decomposition. Working from the leaves of the 
decomposition back to the root, we extend intermediate solutions for child nodes 
to an intermediate solution for the parent node. The existence of an intermediate 
solution for the root node, implies the existence of a solution for the original 
problem instance (Lemma S]). Then, in Lemma [51 we establish the complexity of 
computing an intermediate solution, thereby completing the proof of Theorem[TJ 
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Roughly speaking, for every subset T of the set S of steps, each bag B in the 
tree decomposition of D, and each step x in T, we keep track of which user in B, 
if any, x is to be assigned to, and otherwise what relation the user assigned to 
X should have to the users in B. Before proceeding further, we introduce some 
definitions and notation. 

Let us say that u > v ii v < ti, and u ~ w if neither u < v nor v < u. Define 
the relation of v to u, a, function (l>{v, u) from the set of all pairs of users to the 
set of three symbols [<], [>], [~], as follows: 



(l){v,u) 



[<] \iv <u 
[>] \{v>u 



For each bag B — {ui, 7/2, • • ■ , Wp} in X, and each user v ^ B, define the 
relation of v to B, TZ{v, B) to be the ordered tuple {4'{v, u\),.. ., (j){v, Up)). 

Definition 2. Given a workflow instance X with constraint graph G = {S,E), 
a bag B in the nice tree decomposition of {U, <), a set of steps T and a function 
R : T ^ BU {[<], [>], H}'^', we say TT : T ^ U is a (B, T, J?)-plan if the 
following conditions are satisfied: 



tt{x) € L{x) for each x G T; 

if there is an edge between x and y in G[T], then Tr{x) ^ 7r(2/); 

if there is an arc from x to y in G[T], then 7r{x) < 7r(y); 

for each step x, tt(x) is either a user in B or a user in a descendant of B; 

for any x G T , u ^ B, 7r(a;) = u if and only if R{x) = u; 

ifR{x) ^ B, then 7^(7^(a;),B) = R{x). 



R provides a partial allocation of users in B to steps in T; where no user is 

allocated, R identifies the relationships that must hold between the user that 
is subsequently allocated to the task and those users in B. The existence of a 
{B, T, Ji)-plan means that we can extend i? to a full plan tt by traversing the 
nice tree decomposition. 

We may now define the function that is central to our dynamic programming 
approach. For every bag B in the tree decomposition of D, every subset T of S, 
and every possible function R : T ^ B U {[<], [>], h]}l^l, define F{B,T,R) = 
True if there exists a {B, T, i?)-plan and False otherwise. 

Lemma 4. Let Bq he the root node in the nice tree decomposition of D. Then 
I is a YES-instance if and only if there exists a function R : S ^ Bo [J {[<],[> 
], such that F{Bo, S, R) = True. 

Proof. By the first three conditions on F(Bo, S, R) being True and the definition 
of the constraint graph G, it is clear that if F{Bo, S, R) = True for some R then 
we have a YES-instance. So now suppose I is a YES-instance, and let tt : 5 — >■ J7 
be a valid plan. Then for each x E S, lot R{x) = it{x) if it{x) G Bq, and otherwise, 
let R{x) = TZ{n{x), B). Then observe that all the conditions on F{Bq, S, R) being 
True are satisfied and therefore F{Bo, V, R) = True. 
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Lemma 5. We can compute F{B, T, R) for every bag B in X , every T C S, and 
every RiT^BU {[<], [>], H}'^' time 0{nM^{r + 2 + 'y+'^f). 

Proof. We will start by constructing, in advance, a matrix C = \Ls^v\s&s,u^u 
such that Ls^u = 1 if m G L{s) and Ls^u = 0, otherwise. This will take time 0{kn). 
Let B be in A", T a subset of S*, and R a function from T to SU{[<], [>], H}'^'- 
Recall that every bag B is either a leaf node, a join node, a forget node or an 
introduce node. We will consider the four possibilities separately. 

;B is a leaf node. Since B has no descendants, F{B, T, R) = False unless 
R{x) G B for every a; G T. So now we may assume R{x) G B for all x. But 
then the only possibility for a (B, T, i?)-plan is one in which tt{x) = R{x) for 
all X. Therefore we may check, in time 0{k'^), whether this plan satisfies the 
(first three) conditions on F(B,T,R) being True. (Use matrix C to check that 
■k{x) G L{x) for all x G T.) If it does, F{B, T, R) = True, otherwise F{B, T, R) = 
False. 

For the remaining cases, we may assume that F{B', T, R) has been calculated 
for every child of B' of B and every possible T, R. 

;B is a forget node. Let B' ~ {wi, ii2. • ■ • , Wp} be the child node of B and 
assume without loss of generality that B = {ui, U2, . . . , Up-i}. For i G — 1], 
let Xi be the set of steps in T with R{x) = Ui. 

Suppose that tt is a {B, T, i?)-plan. Then let R' : T -)■ B' U {[<], [>], Hl'^'' 
be the function such that R'{x) = n{x) if Tr{x) G B', and R'{x) = 7i{Tr{x),B') if 
7r(a;) ^ B'. It is clear that F{B',T,R') = True. Now we show some properties 
of R. 

Firstly, since tt is a (S, T, i?)-plan, it must be the case that 7r(x) = R{x) 
if R{x) G B and therefore R'{x) = R{x) if R{x) G B. Secondly, since tt is a 
{B, T, i?)-plan and Up ^ B, it must be the case that 7r(x) = Up only if R{x) = 
n{up, B). Therefore R'{x) = Up only if R{x) = n{up, B). Finally, for a: G T with 
R'{x) ^ B', let R{x) = {xu,,Xu2,...,Xu^_-^) and let R'{x) = . . . 

Since tt is a (S, T, ii)-plan and a {B' ,T, R')-plan, we must have that Xu^ = 
(j){TT{x),Ui) = x'^. for alH G [p — !]• That is R{x) and R'{x) are the same except 
that R'{x) has the extra co-ordinate x'^^. It follows that to obtain R! from i?, 
we merely need to guess which x with R{x) — 7i{up,B) are assigned to Up by 
R', and for all other x, what the value of Xup should be. 

Therefore, in order to calculate F{B,T, R), we may do the following: Try 
every possible way of partitioning T \ {Xi U X2 U • • • U Xp-i) into four sets 
Xp, X<, X>, X^, subject to the constraint that x G Xp only if R{x) = TZ{up, B). 
For each such partition, construct a function R' : T — >■ S' U {[<], [>], [~]}'^ ' 
such that 

1. R'{x) = Rix) if i?(x) G B. 

2. R'lx) = Up if X G Xp. 

3. For all other x, let i?(x) = (x„i , , . . . , J. Then R'{x) = 

«i><2'---'<p)' "^^^^^ <i = fo'" alH G [p- 1], and <^ = [<] if 
X G X<, x' = [>] if a; G X>, and x' = [-] if a; G X^. 
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and check the value of F{B\ T, R'). 

By the above argument, if F{B,T,R) = True then it must be the case 
that F{B' ,T, R') = True for one of the R' constructed in this way. Therefore 
if F(B',T,R') = False for all such R', we know that F{B,T,R) = False. 
Otherwise, if F{B',T,R') = True for some R', let tt be a T, i?')-plan, and 
observe that by construction of R' and Xp, tt is a {B, T, i?)-plan as well. Therefore 
F{B,T,R) = True. 

Finally, observe that there are at most possible values of R' to check 
and each R' can be constructed in time 0{k), and therefore we can calculate 
F{B,T,R) in time 0(fc4'=). 

B is an introduce node. Let B = {ui,U2, ■ ■ ■ ,Up}, let B' be the child node 
of B and assume without loss of generality that B' = {ui, M2, . . . , Wp-i}. Let 
C T be the set of aU a; G T with R{x) = Up, and let T' = T \ Xp. Define a 
function R' -.T' ^ B'U {[<], [>], H}'^'' as follows: 

1. R'{x) = R{x) if i?(a;) G B' . 

2. For all other x, let R{x) — {xu;^ , Xu2 , ■ ■ ■ , Xu^) . Then set R'{x) ~ 
«i;<2' ■ • ■ '^here x^^ = for all ie[p-l]. 

We will now give eight conditions which are necessary for F{B,T,R) = 
True. We will then show that these conditions collectively are sufficient for 
F{B, T, R) = True. Since each of these conditions can be checked in time 0{k^), 
we will have that F{B,T,R) can be calculated in time O(fc^). 

Condition 1: L^^up = 1 for each x G Xp. This condition is clearly necessary, 
as for every [B, T, i?)-plan tt we have 7r(x) — Up. 

Condition 2; Xp is an independent set in G. Since in any (S, T, i?)-plan, all 
steps in Xp must be assigned the same user, any arc or edge between steps in 
Xp will not be satisfied. 

Condition 3.' // there exists x G Xp, y ^ Xp with an arc from y to x in G, 
then either R{y) = Ui for some Ui G B' with Ui < Up, or R{y) = (yui, ■ ■ ■ ,yup) 
with yup — [<] . For if not, then any {B, T, i?)-plan will assign y to a user v such 
that V > Up or V ^ Up, and the arc yx will not be satisfied. 

Condition 4: If there exists x G Xp, y ^ Xp with an arc from x to y in G, 
then either R{y) — Ui for some Ui G B' with Ui > Up, or R{y) ~ (yun ■ ■ ■ ,2/tip) 
with Up — [>]. The proof is similar to the proof of Condition 3. 

Condition 5; // there exists y ^ Xp such that R{y) = {ym , ■ . ■ , yup) with 
Vup — [<]; then there must exist Ui G B' with y^^ = [<] and Ui < Up. For 
suppose there is a (6, T, i?)-plan tt, and let v — 7r(?/). Note that v must be in a 
descendant of B but not in B'. Therefore B' separates v from Up in D, for any v 
in a descendant of B. (This follows from Lemma [2] where Y is the vertices of a 
path between v and Up). Then by Lemma |31 as v < Up there exists Ui G B' with 
V < Ui < Up. Therefore yy. = [<]. 

Condition 6; // there exists y ^ Xp such that R{y) — {ym , ■ . ■ , yup) with 
2/„ = [>], then there must exist Ui G B' with = [>] and Ui > Up. The proof 
is similar to the proof of Condition 5. 
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Condition 7; // there exists y ^ Xp such that R{y) — {ym , ■ ■ ■ ^ yup) with 
Uup = [^]7 then there is no Ui Cz B such that y^ = [<] and Ui < Up, or = [>] 
and Ui > Up. For suppose there is a {B, T, i?)-plan tt, and let v = T:{y). Suppose 
for a contradiction that there exists Ui d B such that y^^ — [>] and Ui > Up. 
(The case y^ = [<] and Ui < Up is handled similarly). Then v > Ui and so by 
transitivity, v > Up. But this is a contradiction as yup = [~]- 

Condition 8; F{B',T',R') = True. For suppose tt is a T, i?)-plan. Then 
observe that by construction of i?', tt restricted to T' is a (S', T', i?')-plan. 

It now remains to show that if Conditions 1-8 hold then [B, T, R) = True. 
Let tt' be a (S', T', i?')-plan whose existence is guaranteed by Condition 8, and 
let TT be the extension of tt' to T in which 7t{x) = Up for all x G Xp — T \ T'. 
Since tt' is a T', i?')-plan, 7r(a;) G L{x) for all x G T', and by Condition 1, 
7t{x) e L{x) for all x € Xp. For every x with R{x) £ B, we have that tt{x) = R{x) 
by the fact that tt' is a (S', T', i?')-plan and R{x) — Up for aU x £ Xp. 

Now consider x with ^ B. Then let = , x„2 , . . . , By 

construction of R' and the fact that tt' is a (i3', T', i?')-plan, (j){TT{x),Ui) — x^ 
for i £ [p — 1]. Suppose Xup — [<]■ Then by Condition 5, there exists Ui € B' 
with Xui — [<] and Ui < Up. Therefore tt{x) < Ui and so tt(x) < Up. Therefore 
<p{TT(x),Ui) = [<]. Similarly, using Condition 6, if Xup = [>] then (f){TT{x), B) = [> 
]. If (/)(7r(x). Mi) = [~] then by Condition 7 there is no Ui £ B' with tt{x) > Ui > Up 
or tt{x) < Ui < Up. Then by Lemma |21 tt{x) ~ Up and so (/()(7r(x), Up) = [^^J. In 
each case we have that 4>(tt{x),Up) = x^p and so TZ{tt{x),B) = R(x). 

It is clear that for each step a:, tt{x) is either in B or in a descendant of B. It 
remains to show that the arcs and edges in G\T] are satisfied by tt. 

As tt' is a (S', T', i?')-plan, every arc and edge in G[T'] is satisfied by tt. 
By Condition 2 there are no edges and arcs within G[Xp]. It remains to show 
that the arcs and edges between Xp and T' are satisfied by tt. Consider an edge 
between x £ Xp and y £ T' . Since tt{x) = Up, and 7r(y) 7^ (since Up does 
not appear in B' or any descendant of B' by definition of a tree decomposition), 
this edge is satisfied. Now suppose there is an arc from y £ T' to x £ Xp . By 
Condition 3, either 7r(y) = R{y) = Ui with Ui < Up, or y^^ = [<], in which case 
TT{y) < Up (as we have shown (j)(TT{y,Up) = yup). In either case 7r(j/) < tt{x) and 
so the arc is satisfied. Similarly, if there is an arc from x £ Xp to y £ S", then 
by Condition 4 7r(y) > tt[x) and the arc is satisfied. 

Thus TT satisfies all the conditions of a {B, T, ii!)-plan and so F{B, T, R) = 
True. 

i3 is a join node. Let B' , B" be the two child nodes of B, and recall that B' and 
B" contain the same users as B. Let X be the set of all x £ T with R{x) £ B. 

Let vr be a {B, T, i?)-plan. Then let X' be the set of all x £ T \ X such that 
7r(x) = V for some w in a descendant of B', and let X" be the set of all x £ T \ X 
such that 7r(x) = v for some w in a descendant of B" . (Observe that X,X',X" 
is a partition of T.) Let T' — X L) X' and let R' be the function R restricted to 
T'. Similarly let T" ^ X U X" and let R" be the function R restricted to T". 
Then observe that F{B',T',R') = True and F{B",T",R") = True. 
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Now consider an arc from x ^ X' to y ^ X" . Then ■k{x) < Tr{y). Since B 
separates Tr{x) from 7r(y) (by Lemma [2] with Y the set of vertices on a path 
between 7r(x) and 7r(?/)), there must exist Ui G B such that ttIx) < Ui < 7r(y). 
Therefore a;„. = [<] and = [>]. Similarly, if there is an arc from y £ X" to 
X € X' then there exists Ui E B with a;„. = [<] and = [>]. 

We therefore have that if F{B, T, R) = True, then there exists a partition 
X',X" of T \ X such that F{B',T',R') = True and F{B",T",R") = True 
(where T', T", R', R" are as previously defined) and for any arc from x E X' to 
y G X" , there exists Ui E B with Xu^ = [<] and — [>] (and similarly for arcs 
from y £ X" to x G X'). We now show that the converse is true. 

Suppose these conditions hold, and let tt' be a (;B', T', i?')-plan and tt" a 
(S",T",i?")-plan. Note that for ah x e X, 7r'(x) = R{x) = tt"{x). Let tt be the 
assignment on S made by combining tt' and tt", i.e. 7r(x) = 7r'(a;) = n"{x) for 
a; e X, 7r(x) = 7r'(a;) for a; G X' , and 7r(a;) = 7r"(a;) for x G X". 

Observe that by definition of vr' and tt", ia;.7r(x) — 1 for all a; G T, 7r(x) = i?(a;) 
if i?(a;) G S, and otherwise TZ{tt{x),B) — R{x). Any edges and arcs in G[XUX'] 
are satisfied by tt, by definition of tt', and any edges and arcs in G[X U X"] 
are satisfied by tt, by definition of tt". It remains to consider the edges and arcs 
between X' and X" . Since the tasks in X' and X" are assigned to disjoint sets 
of users (by Lemma [U, any edge between and X' and X" is satisfied. If there is 
an arc from x G X' to y G X" , then by our assumption there exists Ui G B with 

= [<] and yui — [>]■ Therefore 'k{x) < Ui < 7r(y), and therefore ^{x) < 7r(y), 
and so the arc is satisfied. A similar argument applies when there is an arc from 
yeX" toxG X'. 

Since there are at most 2l"^l possible ways to partition T\X into X' and X" , 
we can calculate F{B,T,R) in 0(2'^) time. 

The above bounds show that, provided all the values for descendants of B 
have been computed, F{B,T,R) can be calculated in time 0{M'^), for each 
possible B, T and R. It remains to count the number of possible values of B, T and 
R. There are at most 4n values of B. Calculating F{B, T, R) for every T and R can 
be viewed as calculating F for every function i?* : S 6U{[<], [>], H}l^lu{0}, 
T being defined as the set of steps not mapped to 0. Finally, for each step x in 
S there are r + 2 + 3'^'^^ possible values for R*{x) and therefore (r + 2 + 3''+i)'= 
possible values for R* . Therefore the total number of possible values of F{B, T, R) 
is 0{n{r + 2 + 3''+^)'^), and so every value F{B, T, R) can be calculated in time 
0(nM'=(r + 2 + 3'~+i)'=). □ 

5 Hardness 

The main theorem of this section establishes a lower bound for the complexity of 
the workfiow satisfiability problem. In fact, we show that in general, the trivial 
0(n'^) algorithm is nearly optimal. Our result assumes the Exponential Time 
Hypothesis (ETH) of Impagliazzo, Paturi, and Zane ^TT\: that is, we assume that 
there is no 2°("^-time algorithm for n-variable 3-SAT. 
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Theorem 2. WSP(=,7^,<) cannot be solved in time f{k)n°^'^^' unless ETH 
fails, where f is an arbitrary function, k is the number of steps and n is the 
number of users. This results holds even if the full graph of{U, <) is 2-degenerate. 

The proof of Theorem [5] can be found in the appendix. It is well-known (see, 
e.g., [TU]) that ETH is stronger than the widely believed complexity hypothesis 
W[l] 7^ FPT. Thus, we have the following: 

Corollary 1. WSP(=, ^, <) ts not FPT unless W[l] = FPT. This results holds 
even if the full graph of (U, <) is 2-degenerate. 

This corollary proves that while the class of treewidth bounded graphs is 
sufficiently special to imply an FPT algorithm, considering the more general 
class of graphs of bounded degeneracy does not make the problem any easier. 

6 Concluding Remarks 

The main contribution of this paper is the development of the first FPT algo- 
rithm for WSP(=,7^, <), where < is a (transitive) relation on the set of users. 
Unlike WSP(=, ^) which is FPT in the general case, WSP(=, ^, <) is not FPT 
unless W[1]=FPT, which is highly unlikely. In fact, under a stronger hypothesis 
(ETH) we have shown that we even cannot have an algorithm significantly faster 
than the trivial brute-force algorithm. Thus, it is natural to identify special cases 
of WSP(=, <) that are in FPT and of practical relevance. We have done this 
by restricting the reduced graph D of {U,<) to lie in the class of graphs of 
bounded treewidth. We believe that this restriction on treewidth holds for many 
user hierarchies that arise in practice. On the other hand, we have also shown 
that the restriction of the reduced (or even full) graph to the class of 2-degenerate 
graphs does not reduce the complexity of the problem. 

Our FPT algorithm is efficient for small values of the number of steps k and 
the treewidth r of D (we may view fc -I- r as a combined parameter). However, it 
is quite often the case that the first FPT algorithm for a parameterized problem 
is not efficient except for rather small values of the parameter, but subsequent 
improvements bring about an FPT algorithm efficient for quite large values 
of the parameter [10114) . We believe that a more efficient FPT algorithm for 
WSP(=,^,<) may be possible and we hope to be able to report progress in 
this area. 

One natural extension of this work is to consider the preorder generated 
from an authorization policy, where u Q u' iS the set of steps for which u 
is authorized is a subset of the set of steps for which u' is authorized. This 
ordering is weaker than that defined in Sec. [2] and used throughout the rest of 
the paper, which required that the set of steps for which u is authorized to be 
a strict subset of those for which u' is authorized. Hence, we may have u Q u' 
and u' \Z u but u ^ u' . In fact, such an ordering defines sets of users that 
are indistinguishable, in the sense that they are authorized for the same set of 
steps. Hence, we might reasonably consider WSP(=, 7^, ~, 't^), where u ~ u' 
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if u and u' are indistinguishable. Of course, the graph of C is not acyclic, as 
cycles of length two will exist between any pair of indistinguishable users, so 
new techniques may be required to determine whether this problem is FPT or 
not. 
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A Proof of Theorem [2] 



In order to prove Theorem [21 we first consider the following problem and prove 
the following lemma. 



SubTDAG isomorphism 

Input: Transitive acyclic digraphs D ~ {Vd,Ad) and R — {Vr^Aji), 

a subset Wr — {wi, . . . , uiiw^i} of Vr, and disjoint subsets 

Wd,i,---,Wd,\Wr\ of Vd- 
Parameter: {VrI 

Question: Is there an injection 7 : Vr — ?> Vd such that ^(wi) G Wda for 
each i e and for every {u,v) e Ar, {■y{u),j{v)) G Ad? 



f k \ 

Lemma 6. SubTDAG isomorphism cannot be solved in time f{k)n°^'^' 
where f is an arbitrary function, n is the number of vertices in D and k is 
the number of vertices in R, unless ETH fails. This result holds even if D and 
R are 2-degenerate. 

To prove Lemma [HI we start by considering the following problem and a lemma 
by Marx p] . 



Partitioned Subgraph Isomorphism (PSI) 

Input: Undirected graphs H — {Vh,Eh) and G ~ {Vq — 

{gi, . . . ,gi},EG), and a partition of Vh into (disjoint) subsets 
Wh,i,...,Whj. 

Question: Is there an injection : Vq Vh such that for every i G [Z], 
(j){gi) G WH,i and for every {gi,gj) G Eq, {(j){gi),(j){gj)) G ErI 



Lemma 7. {Corollary 6.3, |T3]) Partitioned Subgraph Isomorphism can- 
not be solved in time /(fc)n°^i°s'=-' where f is an arbitrary function, k is the 
number of edges in G and n is the number of vertices in H , unless ETH fails. 

Proof of Lemma [51 The proof is by a reduction from the Partitioned 
Subgraph Isomorphism problem. We assume that we have an instance of PSI 
as described in the formulation of the problem above. We assume, without loss of 
generality, that there are no isolated vertices in G. Recall that the vertices of G 
are 51, ...,gi and let Wh,i = {x{ll), . . .,x{lri)}, . . .,Wh,i = {xill), . . .,x{lri)}. 
We now construct an instance of SubTDAG isomorphism. The digraph R is 
obtained from G by subdividing every edge and orienting all edges towards the 
new vertices. The vertex subdividing an edge gigj will be denoted by gij and 
so R will have arcs {gi,gij) and (gj,gij). Similarly, D is obtained from H by 
subdividing every edge and orienting all edges towards the new vertices. The 
vertex subdividing an edge x{iTi)x(jTj) will be denoted by x{iTi,jTj). It is easy 
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to verify that D and R are both 2-degenerate acyclic digraphs and both are 
transitive because they do not have directed paths of length 2. Let Wr — Vq 
and Wda = WH,i for each i e [I]. We claim that {G, H,Wha, ■ ■ ■ ,Wha) is a 
YES-instance of PSI if and only if (£>, R, Wr, Wd,i, • ■ • , Wd,i) is a YES-instance 
of SubTDAG isomorphism. 

Suppose that our instance of PSI is a YES-instance and let (f) be the required 
injection. By definition, (f>{gi) = x{iTi), where G [r^], for each i G [I]. Let 
7 : Vr — >■ Vd be defined as follows: 7(3^) = x{iTi) for each i 6 [Z] and ■y{gij) = 
x{iTi, jTj). Since 3^(7^ G i?G implies 4'{9i)4>(.9j) G -^ff ^-iid by the definition of 
7, if {gi,gij) 6 then (7(51), 7(3^)) € A^. Thus, our instance of SubTDAG 
ISOMORPHISM is a YES-instance, too. 

Now suppose that the instance of SubTDAG isomorphism is a YES-instance 
and 7 : Vr Vd is the corresponding injection such that 7(3^) = x{iTi), where 
Ti G [ri], for each i G [I]. By definition of 7, {gi,gij) G implies (x{iTi)^(gij)) G 
ylu and igj,gij) € Ar implies {x{jTj)^[gij)) G A^. By the construction of D, 
the above implies that ^{gij) = x(iTi, jrj). Now define an injection (/> : G — > i? as 
follows: (f>{gi) = j{gi) = xiiTi) for each i G The requirement that gigj G -Eg 
implies (j>{gi)(f>{gj) G E'ij follows from the fact that j{gij) = x{iTi,jTj). Thus, 
the instance of PSI is a YES-instance, too. 

Let kc be the number of edges in G and hh the number of vertices in H. 
Recall that k is the number of vertices in R and n is the number of vertices in D. 
By construction of R and D and the assumption that G has no isolated vertices, 
k = \Eg\ + \Vg\ = Oikc) and n ^ uh + \Ah\ ^ 0{n]j). 

An algorithm for SubTDAG isomorphism running in time f{k)n°^'^^ 

o( ''g ) 

implies an algorithm running in time f(kQ)n^ °'' ° for PSI, which along with 
Lemma [7] completes the proof of the lemma. □ 

Proof of Theorem [2] The proof is by a reduction from the SubTDAG 
isomorphism problem. Let {D,R,Wr,Wd,i, ■ ■ ■ ,WD\Wn\) be an instance of 
SubTDAG isomorphism. We construct an instance of WSP(=,7^,<) as fol- 
lows. We define the set U of users to be Vd and the set S of steps to be Vr. For 
every step m; G Wr, L{wi) = Wda, and for every step s G S" \ Wr, L{s) — U. 

We define the relation < on C/ as follows. For every x,y € U , x < y \i and 
only li X ^ y and there is a arc from a; to j/ in D. For every arc {u, v) G Ar, 
we add a constraint {<,u,v) and for every pair u,v of distinct non-adjacent 
vertices of R, we add a constraint (^, w, u). Let the instance of WSP(=, ^, <) 
thus constructed be I. We claim that {D, R, Wr, Wd,i, ■ ■ ■ , W^DjwH|)is a Yes 
instance of SubTDAG isomorphism iff I is a Yes instance of WSP(=, <). 

Suppose that {D, R,Wr,Wd,i, ■ ■ ■ ,Wu,\Wr\) is a YES-instance of 
SubTDAG isomorphism and let 7 be a required injection for this in- 
stance. We define a plan tt as tt{v) = 7(u) for every w G S'. It is easy to see that 
TT is an valid plan for I. 

Conversely, suppose that I is a YES-instance of WSP(=, ^, <) and let tt be 
a valid plan for this instance. We define a function 7 : Vr — )■ Vd as follows. 
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For every u e Vr, we set 7(u) = ■k{u). It remains to verify that 7 is a required 
injection for the instance {D, R, Wb., Wd.i, • ■ • , Wd,\Wr\)- We first show that 7 
is an injection. Suppose this were not the case and let u and v be two distinct 
vertices such that j{u) = "f{v). This imphes that tt{u) = 7r(w). But then this 
assignment satisfies neither the constraint {^,u,v) nor the constraint {<,u,v), 
which is a contradiction. Hence, we conclude that 7 is indeed an injection. Now, 
consider an arc S R. Since tt is a valid plan, tt{u) < Tr{v), which implies 

that 7(u) < 7(w), which by definition is possible only if {j{u), j{v)) E Ad- This 
completes the proof of correctness of the reduction. 

It remains to apply Lemma [H] to complete the proof of the theorem. □ 
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